• Downloads
  • Threats
    • Adware
    • Browser Hijacking
    • Phishing
    • Ransomware
  • Questions and Answers
  • Recover Encrypted Files
  • Free Malware Removal Tools

My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.

Menu
  • Downloads
  • Threats
    • Adware
    • Browser Hijacking
    • Phishing
    • Ransomware
  • Questions and Answers
  • Recover Encrypted Files
  • Free Malware Removal Tools
Home › Exploits & Vulnerabilities › 100 confirmed sites now using the IE vulnerability

100 confirmed sites now using the IE vulnerability

Myantispyware team March 24, 2006     No Comment    

100 confirmed sites now using the IE vulnerability, as reported on security lists by Dan Hubbard (alert) at WebSense and Joe Stewart at Lurhq.

These can be very nasty. SunBelt analysed one site – www(dot)textrum(dot)se (since shutdown):
The exploit calls a file, updater.exe. It file is W32/Spybot (W32/Backdoor, Adware.NaviPromo.M)
Norman sandbox report:

Found Sandbox: W32/Backdoor; [ General information ]

* Anti debug/emulation code present.
* Creating several executable files on hard-drive.
* File length: 46644 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.

[ Changes to registry ]
* Creates value “Windsupdate”=”Updater.exe” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce”.
* Creates value “Windsupdate”=”Updater.exe” in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.
* Modifies value “Dir0″=”012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles\” in key “HKCU\Software\Kazaa\LocalContent”.

[ Network services ]
* Connects to “kronkrak.servequake.com” on port 6667 (IP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser7.
* IRC: Uses username CurrentUser7.

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I’ll be back…).
* Attemps to open C:\WINDOWS\SYSTEM32\Updater.exe NULL.
* Enumerates running processes several parses….
* Creates a mutex coolbot1.c4.

There is no patch available for this exploit. The only way to avoid it is
– turn off Active Scripting
– use a non-IE browser (although the latest version of IE 7, the March 20 beta 2 preview, is not affected).
Your standard protections should be in place — antivirus, firewall, antispyware.

Exploits & Vulnerabilities

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

Leave a Reply Cancel reply




New Guides

Lilola Recliner Scam text
Lilola Recliner Scam Text Explained
goog.uthyforemplo.xyz malicious
Track Click Crystal pop-up redirect (Virus removal guide)
Datingsecret.top Click Allow Scam
Datingsecret.top Virus Removal Guide
SaveFrom Video Downloader
Is Savefrom.net Safe? Savefrom.net Virus Removal Guide
Pharmaddscompany.com Click Allow Scam
Pharmaddscompany.com Virus Removal Guide

Follow Us

Search

Useful Guides

Files encrypted by ransomware become useless
How To Recover Encrypted Files (Ransomware file recovery)
DNSChanger
How to remove DNSChanger malware virus [Updated Apr. 2018]
browser redirect virus
How to remove Browser redirect virus [Chrome, Firefox, IE, Edge]
ads by adware
How to remove Adware from Windows 10 (Virus removal guide)
How to reset Mozilla Firefox (Updated Apr. 2018)

Recent Posts

RealNetworks Products Multiple Buffer Overflow Vulnerabilities
New Internet Explorer vulnerability
Top 10 spyware threats discovered for last 24 hours
Coolwebsearch.info – new site from the Coolwebsearch family
New unpatched vulnerability in the Internet Explorer (mshtml.dll) found

MYANTISPYWARE.COM

  • About Us
  • Contact Us
  • Privacy Policy

NEED A HELP ?

If you're seeing unwanted pop-ups or ads in your web-browser, you might have an adware installed on your computer. Use the following guide to stop pop-up ads and remove malicious software. Or ask for help here.

Links

  • Downloads
  • Instructions
  • Questions and Answers
  • Free Malware Removal Tools
Copyright © 2004 - 2022 Myantispyware.com - Free antispyware programs and Spyware Removal Instructions.